Misconceptions and misunderstandings abound when it comes to insider threats. Many organizations fail to identify the scope and severity of risk posed by insiders because they adhere to mistaken beliefs about what kind of insiders present danger to their organizations and how. Similarly, misapprehension about security controls further adds to misapplied mitigation efforts.
If organizations are to work on reducing insider risks, then they first need to bust the myths around them that could be holding back their progress. Continue reading Top 5 Myths About Insider Threats
Cisco IOS XR Software contains a vulnerability when handling crafted packets that may result in a denial of service condition. The vulnerability only exists on Cisco 9000 Series Aggregation Services Routers (ASR) Route Switch Processor (RSP440) and Cisco Carrier Routing System (CRS) Performance Route Processor (PRP). The vulnerability is a result of improper handling of crafted packets and could cause the route processor, which processes the packets, to be unable to transmit packets to the fabric. Cisco has released free software updates that address this vulnerability. This advisory is available at the following link:
A posting to pastebin by a group that calls itself “Cyber Warrior Team from Iran” claims to have breached a NASA website via a “Man in the Middle” attack. The announcement is a bit hard to read due to the broken English, but here is how I parse the post and the associated screenshot:
The “Cyber Warrior Team” used a tool to scan NASA websites for SSL misconfigurations. They came across a site that used an invalid, likely self-signed or expired, certificate. Users visiting this web site would be used to seeing a certificate warning, which made it a lot easier to launch a man-in-the-middle attack. In addition, the login form on the index page isn’t using SSL, making it possible to intercept and modify it unnoticed. Continue reading Stop using self signed or invalid certificates
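The second weakness described above, a login form served or submitted over plain HTTP, is easy to audit for on your own sites. The following is an added example, not code from the original post or from the tool the group used: it parses a page with Python's standard library, finds every form that contains a password field, resolves its action against the page URL, and reports both forms that post over HTTP and pages that are themselves served over HTTP (where an interceptor could rewrite the form before the user ever submits it). The page URL and HTML below are constructed sample input.

```python
"""Audit a page for login forms that expose credentials to interception."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect <form> elements and note which ones contain a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []       # each entry: {"action": str, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return {"page_over_http": bool, "insecure_actions": [url, ...]}.

    page_over_http   - the page carrying the form was itself fetched without TLS,
                       so the form's markup could be modified in transit.
    insecure_actions - resolved action URLs of password forms that would send
                       the credentials over a non-https scheme.
    """
    parser = _FormCollector()
    parser.feed(html)

    insecure = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        # urljoin handles relative actions; an empty action resolves to the page itself.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() != "https":
            insecure.append(target)

    return {
        "page_over_http": urlsplit(page_url).scheme.lower() != "https",
        "insecure_actions": insecure,
    }


# Constructed sample input (hypothetical host example.test, not a real site).
SAMPLE_PAGE_URL = "http://example.test/index.html"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pw">
</form>
<form action="https://example.test/search"><input name="q"></form>
<form action="https://sso.example.test/auth" method="post">
  <input type="password" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    report = audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("page served over plain HTTP:", report["page_over_http"])
    for url in report["insecure_actions"]:
        print("password form posts without TLS:", url)
```

Only the first form is flagged as an insecure action, since the relative `/login` inherits the page's `http` scheme; the third form posts to an `https` target, but because the index page itself arrived over HTTP the report still marks the page as at risk, which is the situation the post describes.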
Two researchers have proposed an extension to TLS (Transport Layer Security) as a solution to some of the security challenges facing the Secure Sockets Layer certificate ecosystem.
Their proposal comes after a troublesome year for certificate authorities (CAs) during which a number of high-profile CA security breaches shook the IT industry’s confidence in SSL certificates and raised questions about whether it was time to develop some new certification process. Continue reading Researchers Propose Way to Thwart Fraudulent Digital Certificates
Security researchers from Kaspersky have profiled a new SpyEye plugin known as flashcamcontrol.dll which takes control of the victim’s webcam and microphone.
There’s insecure software, and then there’s insecure code samples available online in open source, Web forums, developer manuals, and even university materials. A brand-new project quietly launched last week aims to eradicate this source of bad code, which feeds into the cycle of insecure software development. Continue reading Project Finds, Purges Vulnerable Code Snippets From The Net